Author’s Note: We at Malwarebytes continue to do our part in educating our product users and regular blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for on the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


Sometimes you need to read between the lines when going over an End-user license agreement (EULA), but FrameFox (aka Duuqu) has gone past that stage. They must be relying on the fact that nobody ever reads them anyway.

EULA

The EULA for FrameFox can be found at www[dot]framefox[dot]com/#/terms, if you can reach it. I have to point that out since Malwarebytes Anti-Malware Premium’s web protection blocks that domain. What immediately jumped out was this snippet:


Uninstallation and Disabling Methods

The User acknowledges and agrees that as some third-party applications do not allow FrameFox’s software install or run correctly, the User explicitly consents to FrameFox having rights in its sole discretion to in listed below but not limited to:

block, uninstall or change a third-party applications and files on the User’s computer which FrameFox finds incompatible with its software;

That is a direct threat to any anti-malware or other protection software trying to remove FrameFox from the user’s computer: they will remove you first if they get the chance. The EULA goes on to list the ways in which it permits itself to do this:

  • disable third-party application updates;
  • disable startup programs in computer operating systems;
  • modify DNS (Domain Name System) on the local system;

It then goes on to deny all liability for these actions. This is yet another example of adware that has the potential to leave the victim’s computer open to worse infections. So far I have not seen any examples of software that they choose to disable, but we are always curious to hear about these from you.

Arsenal

What does the installer put on your system with which they can hope to achieve this task?

  • Two services, both dubbed “Duuqu Update Service” (defined under dqupdate and dqupdatem in the registry) and both pointing to the same file “C:\Program Files (x86)\Duuqu\Update\DuuquUpdate.exe”.
  • One Run-key entry for the file “C:\Program Files (x86)\FrameFox\framefox.exe”.
  • And two Scheduled Tasks called “DuuquUpdateTaskMachineCore” and “DuuquUpdateTaskMachineUA” both pointing to the same file as the services described above.
  • Browser Extensions for Firefox and Chrome.


The Chrome extension of FrameFox Shop
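For readers who want to check a machine for the persistence artifacts listed above, here is an added example (written for this post, not a Malwarebytes tool or part of the original article) that queries the service names, Run-key entry, scheduled tasks and files named in the list. The post does not say which hive the Run-key entry lives in, so the script assumes it may be in either HKLM or HKCU and matches on the framefox.exe path rather than on a value name.

```powershell
# Added example: look for the FrameFox/Duuqu artifacts described in the post.
# Run from an elevated PowerShell session so service and task queries are complete.
$serviceNames = @('dqupdate', 'dqupdatem')                     # names from the post
$updaterPath  = 'C:\Program Files (x86)\Duuqu\Update\DuuquUpdate.exe'
$frameFoxExe  = 'C:\Program Files (x86)\FrameFox\framefox.exe'
$taskNames    = @('DuuquUpdateTaskMachineCore', 'DuuquUpdateTaskMachineUA')

$findings = @()

# 1. Services: both "Duuqu Update Service" entries are registered as dqupdate / dqupdatem.
foreach ($name in $serviceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service '$($svc.Name)' -> $($svc.PathName) (state: $($svc.State))" }
}

# 2. Run keys: the post names only the file, so match any value whose command line
#    points at framefox.exe. Hive is an assumption (post does not state HKLM vs HKCU).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like '*framefox.exe*') {
                $findings += "Run value '$($p.Name)' in $key -> $($p.Value)"
            }
        }
    }
}

# 3. Scheduled tasks: both point at the same updater binary as the services.
foreach ($task in $taskNames) {
    $t = Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue
    if ($t) { $findings += "Scheduled task '$($t.TaskName)' (state: $($t.State))" }
}

# 4. Files on disk.
foreach ($f in $updaterPath, $frameFoxExe) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) {
    'No FrameFox/Duuqu artifacts found.'
} else {
    'Possible FrameFox/Duuqu artifacts:'
    $findings | ForEach-Object { "  $_" }
}
```

The script only reports; given the EULA clause about uninstalling third-party software, a hit is a reason to run a proper removal tool rather than to delete the files by hand.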

Removal

Malwarebytes Anti-Malware detects and removes “FrameFox Shop” as PUP.Optional.Duuqu and PUP.Optional.FrameFox. A full removal guide can be found on our forums. The installer I used has been spotted with the file names:

  • DuuquUpdateSetup.exe
  • FrameFoxShopSetup.exe

Summary

We had a look at one of the most outrageous EULAs we have seen so far. FrameFox aka Duuqu steals the show and gets nominated in the “Most aggressive” category.

As always: Save yourself the hassle and get protected.


Pieter Arntz